On Fri, 3 Apr 2009 10:45:46 +0800 Mark David Dumlao <madum...@gmail.com> wrote:
> On Thu, Mar 12, 2009 at 4:13 PM, Alan McKinnon
> <alan.mckin...@gmail.com> wrote:
> > On Thursday 12 March 2009 10:07:03 Dale wrote:
> >> I do understand that getting something stable and working then
> >> wanting to keep it that way. I'm just wondering what his mileage
> >> may be in the long run.

Here's the first significant result with a sync today:

These are the packages that would be merged, in reverse order:

Calculating dependencies... done!
[ebuild U ] app-text/xpdf-3.02-r2 [3.02-r1] USE="-nodrm" LINGUAS="-ar -el -he -ja -ko -la -ru -th -tr -zh_CN -zh_TW" 0 kB

Total: 1 package (1 upgrade), Size of downloads: 0 kB

Ahh. ;-)

I guess what's important, unless I see some particular reason to upgrade something, would be this:

glsa-check -tv affected
This system is affected by the following GLSAs:
200808-09 ( OpenLDAP: Denial of Service vulnerability )
200903-11 ( PyCrypto: Execution of arbitrary code )

for glsa in `glsa-check -t affected` ; do glsa-check -p $glsa ; done
This system is affected by the following GLSAs:
Checking GLSA 200808-09
The following updates will be performed for this GLSA:
     net-nds/openldap-2.4.11-r1 (2.3.41)
Checking GLSA 200903-11
The following updates will be performed for this GLSA:
     dev-python/pycrypto-2.0.1-r8 (2.0.1-r6)

In the interest of writing really ugly bash scripts:

# for glsa in `glsa-check -t affected` ; do equery d $( glsa-check -p $glsa |grep -P '^\s+\w+-\w+/' | perl -pe 's/^\s+(\w+-\w+\/.+)-\d[\d.].+/$1/' ) ; done
This system is affected by the following GLSAs:
[ Searching for packages depending on net-nds/openldap... ]
app-admin/sudo-1.7.0 (ldap? >=net-nds/openldap-2.1.30-r1)
app-crypt/gnupg-2.0.10 (!static & ldap? net-nds/openldap) (ldap? net-nds/openldap)
app-emulation/wine-1.1.12 (ldap? net-nds/openldap)
dev-db/postgresql-base-8.3.5 (ldap? net-nds/openldap)
dev-libs/apr-util-1.3.4 (ldap? =net-nds/openldap-2*)
gnome-base/gconf-2.24.0 (ldap? net-nds/openldap)
gnome-extra/evolution-data-server-2.24.5-r2 (ldap? >=net-nds/openldap-2.0)
mail-client/claws-mail-3.7.1 (ldap? >=net-nds/openldap-2.0.7)
net-firewall/ipsec-tools-0.7.1 (ldap? net-nds/openldap)
net-fs/samba-3.0.33 (ldap? net-nds/openldap)
net-misc/curl-7.19.4 (ldap? net-nds/openldap)
net-misc/openssh-5.1_p1-r2 (ldap? net-nds/openldap)
net-misc/openswan-2.4.13-r2 (ldap? net-nds/openldap)
net-print/cups-1.3.9-r1 (ldap? net-nds/openldap)
www-servers/apache-2.2.10 (ldap? =net-nds/openldap-2*)
[ Searching for packages depending on dev-python/pycrypto... ]
sys-apps/portage-2.1.6.7 (!build? >=dev-python/pycrypto-2.0.1-r6)

Looks like I can fix the use flag and clean out ldap if I want to do so, but I'm stuck with pycrypto (or the build use flag):

euse -i build
global use flags (searching: build)
************************************************************
[- ] build - !!internal use only!! DO NOT SET THIS FLAG YOURSELF!, used for creating build images and the first half of bootstrapping [make stage1]

... that's pretty clear. '-)

> >
> > I can only imagine what will happen if he forgets that package.mask
> > and then removes it six months later:-)
>
> I too, have spent a couple of days wondering what was masking a
> package before remembering that it was me.
>

And just to see if there's any upside evident:

mv /etc/portage/package.mask /etc/portage/package.mask.bak && emerge -puDNtv system && mv /etc/portage/package.mask.bak /etc/portage/package.mask

These are the packages that would be merged, in reverse order:

Calculating dependencies... done!
[ebuild U ] net-misc/openssh-5.2_p1-r1 [5.1_p1-r2] USE="X pam tcpd -X509 -hpn -kerberos -ldap -libedit -pkcs11% (-selinux) -skey -smartcard -static" 993 kB
[ebuild U ] sys-devel/gcc-4.3.3-r2 [4.3.2-r3] USE="fortran gtk mudflap nls openmp (-altivec) -bootstrap -build -doc (-fixed-point) -gcj (-hardened) -ip28 -ip32r10k -libffi (-multilib) -multislot (-n32) (-n64) -nocxx -nopie -objc -objc++ -objc-gc -test -vanilla" 58,063 kB

Total: 2 packages (2 upgrades), Size of downloads: 59,055 kB

Hmm.

# mv /etc/portage/package.mask /etc/portage/package.mask.bak && emerge -puDNtv world && mv /etc/portage/package.mask.bak /etc/portage/package.mask

These are the packages that would be merged, in reverse order:

Calculating dependencies... done!
[ebuild U ] dev-java/sun-jre-bin-1.6.0.13 [1.6.0.12] USE="X alsa nsplugin odbc" 78,284 kB [0]
(... and some perl modules).

So, that's ssh, gcc and java I can pass on today... figure I can unmask in a month and update any of these packages, if I feel like it.

But, http://bugs.gentoo.org/buglist.cgi?quicksearch=xpdf (search on the one update I took), it looks like there was a good gentoo reason and maybe a good gentoo response.

As I understand it, if the maintainer thinks the recent changes/patches are significant, I'll get a -rN for a new ebuild. OTOH, If there's a new version of something I care about tracking new releases, I'll unmask it. If there's a security thing, I can do the same... Maybe any other ebuilds offered in the tree can wait until I see what happens to everyone else first. ;-)

. . .

Meanwhile, I do know that there's a security hole found on something I have installed from an overlay, where the fix was released in a new version upstream. So there's one downside, anyway.

Cheers,

-- 
 |\  /|        |   |          ~ ~
 | \/ |        |---|          `|` ?
 |    |ichael  |   |iggins    \^ /
 michael.higgins[at]evolone[dot]org
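
The check this message builds up to, as an added example that is not part of the original post: it turns `glsa-check -p` output into package names (the job of the grep/perl one-liner) and marks which pending security fixes a local package.mask may be holding back. The function names, the mask entries and the single-file package.mask are assumptions; the sample input is constructed from the output quoted above.

```bash
# Added example; sample data is constructed, function names are hypothetical.
# Reads `glsa-check -p` output on stdin, prints one line per pending fix:
#   GLSA-ID category/package fixed-version masked|unmasked
# $1: package.mask (assumed a single file). Mask operators and versions are
# ignored, so "masked" means "review that entry", not "certainly blocked".
glsa_updates() {
    awk -v mask="${1:-/dev/null}" '
        BEGIN {
            # Version suffix: -<digit>... to end of string, optional -rN.
            vre = "-[0-9][0-9A-Za-z._*]*(-r[0-9]+)?$"
            while ((getline line < mask) > 0) {
                sub(/#.*/, "", line)               # comments
                sub(/^[ \t]*[<>=~!]*/, "", line)   # atom operators
                sub(/[ \t:].*$/, "", line)         # slot or trailing text
                sub(vre, "", line)                 # version
                if (line != "") masked[line] = 1
            }
        }
        /^Checking GLSA / { id = $3; next }
        /^[ \t]+[A-Za-z0-9_+-]+\// {
            if (!match($1, vre)) next
            cp = substr($1, 1, RSTART - 1)
            print id, cp, substr($1, RSTART + 1), ((cp in masked) ? "masked" : "unmasked")
        }'
}

# Constructed input: the `glsa-check -p` output quoted in the message.
sample_glsa_output() {
    cat <<'EOF'
Checking GLSA 200808-09
The following updates will be performed for this GLSA:
     net-nds/openldap-2.4.11-r1 (2.3.41)
Checking GLSA 200903-11
The following updates will be performed for this GLSA:
     dev-python/pycrypto-2.0.1-r8 (2.0.1-r6)
EOF
}

# Hypothetical mask file; the message does not show its contents.
report() {
    _mask=$(mktemp)
    printf '%s\n' '# hold at installed versions' '>net-nds/openldap-2.3.41' \
        '>net-misc/openssh-5.1_p1-r2' > "$_mask"
    sample_glsa_output | glsa_updates "$_mask"
    rm -f "$_mask"
}
report
```

On a live system the input would come from the loop in the message, with /etc/portage/package.mask as the argument.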